SCA: security update for chromedriver (GHSA-hm92-vgmw-qfmx)

high Tenable Cloud Security Plugin ID 415833

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Versions of the package chromedriver before 119.0.1 are vulnerable to Command Injection when setting the
chromedriver.path to an arbitrary system binary. This could lead to unauthorized access and potentially
malicious actions on the host system. **Note:** An attacker must have access to the system running the
vulnerable chromedriver library to exploit it. The success of exploitation also depends on the permissions
and privileges of the process running chromedriver. (CVE-2023-26156)

See Also

https://github.com/advisories/GHSA-hm92-vgmw-qfmx

Plugin Details

Severity: High

ID: 415833

Version: Revision 1.7

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.9

Percentile: 57.58

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: High

Base Score: 7.1

Temporal Score: 5.6

Vector: CVSS2#AV:N/AC:H/Au:S/C:C/I:C/A:C

CVSS Score Source: CVE-2023-26156

CVSS v3

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.7

Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 11/9/2023

Vulnerability Publication Date: 11/9/2023

Reference Information

CVE: CVE-2023-26156

cwe: CWE-78